/**
 * EP字段加密捕获 - 简化版
 * 专注于RSA加密过程
 */

console.log("\n" + "=".repeat(80));
console.log("EP字段加密分析");
console.log("=".repeat(80) + "\n");

function bytesToHex(bytes) {
    let hex = "";
    for (let i = 0; i < bytes.length; i++) {
        const byte = bytes[i] & 0xFF;
        hex += ("0" + byte.toString(16)).slice(-2);
    }
    return hex;
}

// 等待SO库加载
setTimeout(function() {
    console.log("[*] 开始Hook RSA加密...\n");
    
    // Hook RSA_public_encrypt
    const rsaEncrypt = Module.findExportByName("libcrypto.so", "RSA_public_encrypt");
    
    if (rsaEncrypt) {
        console.log("[✓] 找到 RSA_public_encrypt: " + rsaEncrypt);
        
        let callCount = 0;
        
        Interceptor.attach(rsaEncrypt, {
            onEnter: function(args) {
                callCount++;
                this.flen = args[0].toInt32();
                this.from = args[1];
                this.to = args[2];
                this.padding = args[4].toInt32();
                
                console.log("\n" + "█".repeat(80));
                console.log("🔐 RSA_public_encrypt 调用 #" + callCount);
                console.log("█".repeat(80));
                console.log("参数:");
                console.log("  - flen (明文长度): " + this.flen + " bytes");
                console.log("  - padding (填充模式): " + this.padding);
                
                // 填充模式说明
                let paddingName = "Unknown";
                if (this.padding === 1) paddingName = "RSA_PKCS1_PADDING";
                else if (this.padding === 4) paddingName = "RSA_PKCS1_OAEP_PADDING";
                console.log("  - 填充模式名称: " + paddingName);
                
                // 如果明文长度是32字节（AES密钥长度）
                if (this.flen === 32) {
                    console.log("\n💡 这是32字节明文 -> 很可能是AES密钥！");
                    
                    try {
                        const plaintext = this.from.readByteArray(this.flen);
                        const plaintextArray = Array.from(new Uint8Array(plaintext));
                        const plaintextHex = bytesToHex(plaintextArray);
                        
                        console.log("\n【RSA加密前的明文 (AES密钥)】");
                        console.log("HEX: " + plaintextHex);
                        
                        // 保存用于onLeave匹配
                        this.plaintextHex = plaintextHex;
                    } catch(e) {
                        console.log("  [!] 读取明文失败: " + e);
                    }
                }
                
                console.log("█".repeat(80));
            },
            onLeave: function(retval) {
                const resultLen = retval.toInt32();
                
                if (resultLen > 0) {
                    console.log("\n" + "█".repeat(80));
                    console.log("🔓 RSA_public_encrypt 返回");
                    console.log("█".repeat(80));
                    console.log("返回值: " + resultLen + " bytes (密文长度)");
                    
                    // RSA-2048输出256字节
                    if (resultLen === 256) {
                        console.log("💡 256字节密文 -> 这是RSA-2048加密结果！");
                    }
                    
                    if (this.flen === 32 && resultLen > 0) {
                        try {
                            const ciphertext = this.to.readByteArray(resultLen);
                            const ciphertextArray = Array.from(new Uint8Array(ciphertext));
                            const ciphertextHex = bytesToHex(ciphertextArray);
                            
                            console.log("\n【RSA加密后的密文】");
                            console.log("长度: " + resultLen + " bytes");
                            console.log("HEX: " + ciphertextHex);
                            
                            // Base64编码（手动实现）
                            const base64 = btoa(String.fromCharCode.apply(null, ciphertextArray));
                            console.log("\n【Base64编码 (EP字段的值)】");
                            console.log("长度: " + base64.length + " chars");
                            console.log("值: " + base64);
                            
                            console.log("\n✓✓✓ 这就是EP字段！");
                            
                            // 总结
                            console.log("\n【加密流程总结】");
                            console.log("1. 明文: 32字节AES密钥");
                            console.log("   HEX: " + (this.plaintextHex || "(未捕获)"));
                            console.log("2. RSA加密: RSA-2048 + PKCS1Padding");
                            console.log("3. 密文: 256字节");
                            console.log("   HEX: " + ciphertextHex.substring(0, 64) + "...");
                            console.log("4. Base64编码: " + base64.length + " chars");
                            console.log("5. EP字段: " + base64.substring(0, 60) + "...");
                            
                        } catch(e) {
                            console.log("  [!] 读取密文失败: " + e);
                        }
                    }
                    
                    console.log("█".repeat(80) + "\n");
                } else {
                    console.log("\n[!] RSA加密失败，返回值: " + resultLen + "\n");
                }
            }
        });
        
        console.log("[✓] RSA Hook 已激活\n");
    } else {
        console.log("[!] 未找到 RSA_public_encrypt\n");
    }
    
    console.log("=".repeat(80));
    console.log("等待加密调用...");
    console.log("=".repeat(80) + "\n");
    
}, 1000);

// 汇总报告
setTimeout(function() {
    console.log("\n" + "=".repeat(80));
    console.log("📊 EP字段加密方式总结");
    console.log("=".repeat(80));
    console.log("\n【加密算法】RSA-2048");
    console.log("【填充方式】PKCS1Padding");
    console.log("【明文内容】32字节AES-256密钥");
    console.log("【密文长度】256字节");
    console.log("【编码方式】Base64");
    console.log("【EP字段长度】约344字符");
    console.log("\n【加密公式】");
    console.log("  EP = Base64(RSA_PKCS1_Encrypt(AES_Key))");
    console.log("\n" + "=".repeat(80) + "\n");
}, 18000);

